Why are banks often tempting targets for criminals and terrorists alike? Thomas Curry, the head of the Office of the Comptroller of the Currency (OCC), recently reminded us: “…because that’s where the money is.” But what most worries the Comptroller is not a modern-day Bonnie & Clyde or John Dillinger attacking banks from without, but rather scofflaws, “hacktivists,” terrorists and foreign regimes exploiting vulnerabilities in the financial industry’s cybersecurity and striking from within. Over the last few months, Mr. Curry has taken to the speaking circuit, venturing from the Consumer Electronics Show (CES) Government Conference last April to the New England Council in May to raise the question of how vulnerable the nation’s financial sector is to cyber-attack. Mr. Curry noted that while consumers are rightfully concerned about the security of the financial tools they use on a daily basis—from credit card readers at the mall to Internet bill pay and online banking—many do not consider “what goes on behind the scenes” to process these transactions. “Yet the impact of a cyber-attack on those systems could be even more disruptive than a data leak at a large retail store,” Mr. Curry told the CES. “It’s one thing to worry about whether someone is making charges on your credit card . . . . It’s quite another to worry about whether the accounts that hold your life savings are secure.” Some of that vulnerability in the system comes from the “banking industry’s significant reliance on technology and telecommunications,” as well as the interconnectivity between banks and their third party vendors. Comptroller Curry mentioned that third party vendors providing necessary support to large, small and community banks have been an area of concern for the OCC for some time. Because many third party vendors “have connections to other institutions and servicers . . . . 
each new relationship and connection provides potential access points to all of the connected networks, thereby introducing new and different weaknesses into the system.” Further, the degree to which banking institutions rely on foreign vendors to support critical activities and grant third parties access to sensitive bank and customer data poses a particular threat to the industry’s security and reputation. While all of these risks can be managed, “what concerns [the OCC] is that risk management practices haven’t always kept pace with the risks [financial] institutions take on.” Mr. Curry’s speeches mark the latest effort by federal regulatory agencies to address the vulnerabilities of financial institutions that stem from the industry’s reliance on third party vendors to handle critical business tasks. As we have addressed before, both the OCC and the Federal Reserve issued new guidance in late 2013 regarding financial institutions and their third-party relationships. The Consumer Financial Protection Bureau issued similar guidance in 2012 with even broader applicability. One implication of these new rules is that while financial institutions can hire third party vendors to manage certain business tasks, they cannot delegate “the consumer protection, operational, and reputational risks related to third party activities conducted on their behalf;” thus the banks bear both the risks and the burdens of errors that their third party vendors make. Consequently, banks are now expected to continuously monitor the activities of third party vendors throughout the life of the relationship, and outside vendors are required to comply with the regulations to which their banking partners would have been subject had the banks chosen to handle those delegated tasks themselves. 
Potential for Conflicting Priorities

At their heart, Comptroller Curry’s remarks and the new guidance from both the OCC and the Federal Reserve seem most concerned with making the banking industry more secure so that the integrity of the financial system is protected. But in the post-Snowden world, companies, particularly those in the technology industry, are finding that there is a great incentive to be seen by customers as safe custodians of their personally identifiable information (PII)—not only from nefarious intruders, but from the government as well. Last May the Electronic Frontier Foundation (EFF) published its fourth-annual “Who Has Your Back?” report, which ranked the efforts of major Internet companies